Western Digital fixes remote execution bug in My Cloud Mirror

Cloudy storage kit needs firmware patch, will anybody notice?

Western Digital has issued a fix for its My Cloud Mirror backup disks, after ESET "detection engineer" Kacper Szurek found an authentication bypass with remote code execution in the system.

My Cloud Mirror is a backup hard drive product sold with personal cloud storage, which means the hardware might be left Internet-visible.

Szurek writes that the login form wasn't protected against command injection.

The “exec() function is used without using escapeshellarg() or escapeshellcmd().

“So we can create string which looks like this: wto -n "a" || other_command || "" -g which means that wto and other_command will be executed.”

There's a bunch of other bugs in the My Cloud Mirror 2.11.153 firmware, Szurek writes, mostly relating to parameters that aren't escaped.

The affected files in the firmware include index.php, chk_vv_sharename.php, modUserName.php, upload.php, and a gem in login_checker.php.

“Inside lib/login_checker.php there is login_check() function which is used to check if user is logged, but it’s possible to bypass this function because it simply checks if $_COOKIE['username'] and $_COOKIE['isAdmin'] exist.”

Western Digital fixed the issues in release 2.11.157 in late December – so make sure your box has updated itself. ®